📝 Summary
openai-gpt-4o-mini
## MAIN TOPIC
This video explains how to replace Authelia with Authentik in order to provide seamless OAuth 2.0 authentication for apps that do not support the protocol themselves.
## KEY POINTS
• **Goal**: Migrating from Authelia to Authentik to improve the authentication setup.
• **Middleware implementation**: Authentik is configured as a middleware on the Traefik proxy to handle user requests.
• **Docker configuration**: Changes to the Docker Compose file are needed to run Authentik through the Traefik proxy and provide SSL encryption.
• **Traefik adjustments**: Middleware definitions must be added to the Traefik configuration so that traffic is redirected correctly.
• **Provider settings**: A new auth provider is created that mediates between the domain and the applications.
• **Testing**: Final tests show that authentication was implemented successfully and users are prompted to log in when accessing services.
## CONCLUSION/POSITION
The video provides clear instructions for migrating from Authelia to Authentik and shows the benefits of using OAuth 2.0 for an improved user experience. A further look at Keycloak is being considered for the future in order to use additional features.
Hey everyone, welcome back. So I said I'd be following up with an Authentik video, and it's probably a bit sooner than I thought, but hey, you guys seem to really enjoy that video, and I'm keen to not leave you in a limbo state where you might be using OAuth 2.0 with Authentik for some applications that support it but still having to fall back to something like Authelia for all of the apps that don't. So today we're going to bridge that divide, and hopefully by the end of this video you'll be in a position to completely replace Authelia. Now that's not a dig at Authelia; Authelia is a cool product, but I'm taking you on a maturity journey. So Authelia does what it does and it does it well, but Authentik gives you more access to enterprise technologies, and eventually, who knows, we might get onto something like Keycloak. We'll keep that secret for another day.

So to get this working in exactly the same way that Authelia does, i.e. as a piece of middleware on the proxy that sits between the user trying to access it and the service that they want to access: you'll see before where you get the splash screen, it says to log in with Authelia. That's what we're going to create here with Authentik, and it operates in pretty much the same way. We're going to need to do some tweaks to our existing Traefik config; we'll get that up and running. Once that's up and running, we'll need to go into Authentik itself and do a little bit of configuration through the web GUI, and finally we will need to append some Traefik labels to any container we want to use this service, and that's exactly the same way that you need to do it with Authelia, with those Traefik labels at the bottom. So this won't be a long video. I'll take you through all of the steps needed to change your existing setup, and as always I'll have these config files available on GitHub that you'll just need to tweak for your setup.

So the first thing that we need to do is to change the Docker Compose file for our Authentik deployment, and this is to get it to run through the Traefik proxy itself. That means that it's going to handle all of the SSL decryption, and it's also going to give us a nice domain name to work with, something like authentik.yourdomain.com. So let's go through this quickly and make those necessary changes. Handily, all of the changes that we need to make are attributed to the server container. The first thing we need to do is to give the server container a name, so here you can see I've called it authentik_server. We'll come on to why that's important later on, but it's to do with the Traefik middleware that we're going to have to set up, and if you saw my CrowdSec video it's the exact same scenario. The next part is to delete the ports that are assigned to this container, because we're going to be routing this through Traefik, so we don't need to expose the ports. Because we're exposing it through Traefik, we're going to have to add it to the proxy network, and you can see that here. We're going to add all of the labels that we've added in all of my previous videos to this container, so this will expose it on my network on authentik.jimsgarage.co.uk. I'm exposing it on port 9000, which if you remember in my previous video I changed due to a conflict; because we're running this now through the Traefik proxy we don't have that conflict, so do remember to go to your .env file. I had a section here at the top which changed the HTTP and HTTPS ports; I've simply deleted those now, so they will go back to their defaults. Once you've done that, obviously add the network section to the bottom and specify that this is an external network, because it's created outside of this Docker Compose file. And the last thing to do to make sure that this all works seamlessly is to go to each container in here and make sure it's put onto the proxy network; that means that all of the containers are going to be able to talk to each other on the same network. Once you've done that you need to go and force recreate this container, or delete it and spin it up again, whichever way you prefer, and hopefully once you've done that (and do remember to go and add the DNS entry into your DNS resolver) you should be able to reach this on authentik.yourdomain.com, and that's going to be really important for a future step.

But before we do that we need to make a change to Traefik itself, so let's head over to the Traefik configuration files and make those changes. So in my setup my Traefik configuration files are stored in the /docker/traefik folder, and the file we're interested in changing is the config.yaml file. So if we open this up, you might already have a middleware here for the CrowdSec bouncer, and that's because that's doing a similar thing: it's intercepting all the traffic that goes through the proxy, acting as a middleware, and then doing something off the back of that. And that's exactly how this is going to work with Authentik, and it's a similar way that Authelia works. So you need to copy in this middleware here; I've called it middlewares-authentik, and it's going to point to your Authentik server on port 9000. Now this is the reason here why we called our server authentik_server: that's because, remember, Docker can resolve DNS names based on container names, which is a really handy feature. Otherwise you could put in your full DNS name that you're going to create once you've spun this up through Traefik, but I recommend you just leave it as it is on screen. So once you've copied this you need to save it, and again you need to force redeploy Traefik to pick up this new configuration.

So with both those services now redeployed, let's check that the changes took effect. We'll start off in Traefik first by checking the Traefik dashboard to make sure that the middleware was picked up properly. So over on my Traefik dashboard you can see here that the middlewares for Authentik have been picked up, and it's an @file because we specified it within a configuration file. Everything looks to be good; it's got a success status, so we're ready to go, and as you can see I've already attributed it to a router. We'll come on to that in a moment. So now we've confirmed that that's working, we should now be able to head back into Authentik, but with a fully qualified domain name. Let's see that in action now. So now when I head to authentik.jimsgarage.co.uk we get it through the browser, and we're using our Traefik and we've got a valid SSL certificate. Excellent. This makes life so much easier than having to remember IPs and ports. So I'm going to log in with the credentials I've set up in the previous video, and once I'm logged in there's a couple of changes we need to make.

Now do remember, if you're using this for Portainer as we set up in the last video, this is no longer going to work; you're going to have to make some tweaks, but thankfully those tweaks are straightforward, and hopefully you figured out what we're going to need to change. In the previous video we were accessing this via an IP and a port, but now we're accessing it through a fully qualified domain name, so that's the change you need to make. To do that it's really straightforward, and by the end of those changes you'll be able to do something like this: click Portainer and simply log in. You'll find the changes that you need to make in the provider section under the Portainer provider, and handily, because we've redeployed this now using this URL, it's automatically updated all the fields that we need. So if you go back into Portainer and remember where the OAuth settings were, you just need to update every reference to the IP and port instead to authentik.yourdomain.com and it should all work fine. The only thing you do need to tweak is the redirect URI, which now needs to be the fully qualified domain name for Portainer, and over in Portainer you need to change that redirect URI as well to your Portainer address, which if you can remember is this field here. So all of those should be Authentik, and this one here should be Portainer, i.e. the address that Portainer is hosted on, so that when you pass authentication you pass back to Portainer. Great.

Let's get back on to configuring now the web proxy. So what we need to create is what we can see on screen here: this domain forward auth provider. Now to do that you need to click Create, you need to click Proxy Provider, hit Next, and then we're going to need to fill in some of these blanks. So the first thing we need to do is give it a name; I've just called this "domain forward auth provider". And we need to give it an authorization flow; we're going to give it explicit again, the same as in the last example. And then in the next section you would think this would need to be a proxy, but it's actually going to be a forward auth for the domain level, and as you can read on screen, that means it's going to act for every application that is on your root domain, which is pretty awesome, and that's how Authelia works. So scrolling down, we need to fill in the authentication URL, which should be pre-populated as the FQDN of Authentik itself, and we need to give it a cookie domain. Now this is your root domain, so in my case it's jimsgarage.co.uk; it'll be whatever your root domain is. So with that created, go ahead and hit Finish and that will dump you back onto this page. Now I've already completed the assignment of this, so yours will say, with a warning symbol here, that it's not assigned. Don't worry, that's exactly the same as in the last video; we'll fix that in a moment.

The next step is to go to your applications, and just like we did with Portainer we need to create a new application that is tied to that provider. So again, straightforward: we hit Create and we need to fill out some of the names. So for this one I'm going to call it "domain forward auth provider" just to keep it simple, and the provider is going to be the domain forward auth provider that we just created. So now that will get rid of the orange little symbol that you had before and it will assign it to this application. So once you've created that you should be able to now head back to your providers and it will be attributed here, and it will no longer have that issue; you'll have a green tick. Great, we're nearly there, just a couple more steps, I promise. The last thing we need to do is go to the outposts. Now we haven't been here before, and we need to create what you can see on screen. So let's hit Create; we're going to give it a name and we're going to give it a type, which has come up as Proxy, which is correct. We'll leave the integrations blank (the dashes), and the bit that's a bit confusing here, and it's not very obvious, is you need to click this to use it. Once that's done, make sure you scroll down here and make sure that it points to your domain name and not an IP and port, so make sure it looks something like this, and then you want to hit Create. Once that's created it should look something like this, and if you haven't done it right, that provider's bit here will be blank, so go back, double check, make sure you click on that provider. And that's it, that's all of the configuration steps we need to have it working.

The final step is now to specify a container to actually go and use this service, and thankfully we can do that in just one line. So I'm going to use an example of an nginx container, just a web server, and we're going to drive it through Authentik web proxy authentication. So let's go and do that now. So on screen you can see that I've opened up my nginx Docker Compose file, and we've used this example before in previous videos, but the key line that we need to add now is highlighted, and if you look at it closely you can see that on the nginx secure router we've added a middleware called middlewares-authentik@file, and if you cast your mind back to our Traefik you can see that this is the one that we created in the Traefik config.yaml. So that all looks good. So what you need to do now is force recreate that nginx container, and when you do, it should come up and ask you to authenticate before you can view the page. So in my instance that's nginx.jimsgarage.co.uk. So I'll redeploy that now and I'll load up that web page, and hopefully we should hit Authentik and be asked to log in first. So I've opened up an incognito tab just to make sure there's no funky caching going on, and I recommend you do the same for any sort of testing with web proxies and authentication; it can become a complete mess with caching. I'm going to hit return; it's going to take me straight to Authentik. That's exactly what we wanted and exactly what we would expect with something like Authelia. Let's log in now; we're going to then be asked to enter a password. When we click Continue it's logged us in and we're all getting Rickrolled. Excellent. Yeah, we're still getting Rickrolled in 2023, but there we go, we have it: we have Authentik now configured with OAuth 2.0 and web proxies for any of the services you have that don't support OAuth 2.0. So there we go, I told you it was going to be a quick video, and you got a bonus Rickroll as well, so everybody's happy.

So hopefully now you're in a position where you could replace Authelia if you wanted to, and you'd have a platform that supports OAuth 2.0 and web proxy authentication for all the apps that don't support that. And in future videos we will be moving on to Keycloak; I'm really keen to see what features that has, as it's Red Hat supported, it's probably the biggest open source identity and access provider out there, and from everything I've seen it ticks every box. So as ever, thanks for watching, please like, comment and subscribe, and I'll see you on the next video. Take care everybody.
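The two configuration pieces the video walks through, written out as an added example (this is not the video's own GitHub config): the Traefik forwardAuth middleware that goes into config.yaml, and the single router label that attaches it to a protected container. The container name `authentik_server`, the `proxy` network and the `https` entrypoint name are assumed from the setup described above; the `/outpost.goauthentik.io/auth/traefik` path is Authentik's documented Traefik forward-auth endpoint.

```yaml
# Traefik dynamic config (config.yaml, loaded by the file provider).
# Assumes the file provider is enabled and the Authentik server container
# is named authentik_server (Docker resolves container names on the shared
# proxy network, which is why the name matters).
http:
  middlewares:
    middlewares-authentik:
      forwardAuth:
        # Authentik's embedded outpost endpoint for Traefik forward auth
        address: http://authentik_server:9000/outpost.goauthentik.io/auth/traefik
        # Only safe because Traefik is the sole hop in front of the outpost;
        # if the outpost were reachable directly, X-Forwarded-* could be spoofed.
        trustForwardHeader: true
        # Identity headers Authentik sets after a successful login; Traefik
        # passes these on to the upstream app so it can see who the user is.
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
---
# docker-compose.yml fragment for the protected app (the nginx example).
# The last label is the "one line" the video adds to the router.
services:
  nginx:
    image: nginx:alpine
    container_name: nginx
    # Deliberately no "ports:" entry: publishing a host port would let a
    # client reach nginx directly and bypass Traefik and the middleware.
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.nginx-secure.rule=Host(`nginx.yourdomain.com`)
      - traefik.http.routers.nginx-secure.entrypoints=https   # entrypoint name assumed
      - traefik.http.routers.nginx-secure.tls=true
      - traefik.http.services.nginx.loadbalancer.server.port=80
      # @file means "defined in the file provider's config.yaml", not via labels
      - traefik.http.routers.nginx-secure.middlewares=middlewares-authentik@file
networks:
  proxy:
    external: true
```

A quick check after redeploying: the Traefik dashboard should list `middlewares-authentik@file` with a success status and the `nginx-secure` router attached to it, and an incognito request to the nginx host should redirect to Authentik before any content is served.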